Saturday, May 03, 2008

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Saturday, May 3, 2008, at least 4,071 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,315 died as a result of hostile action, according to the military's numbers.

The AP count is four more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

U.S. Senator: China Wants Hotels to Filter Internet

Grant Gross writes on PC World:


The Chinese government is demanding that U.S.-owned hotels there filter Internet service during the upcoming Olympic Games in Beijing, U.S. Senator Sam Brownback has alleged.

The Chinese government is requiring U.S.-owned hotels to install Internet filters to "monitor and restrict information coming in and out of China," Brownback said Thursday. "This is an insult to the spirit of the games and an affront to American businesses," he said. "I call on China to immediately rescind this demand."

Brownback, a Kansas Republican, made the allegation during a Thursday press conference on China's human rights record. Brownback joined six other lawmakers and several human rights groups in criticizing China's human rights record.

Brownback said he got the information on Internet filtering from "two different reliable but confidential sources." Brownback's media office didn't immediate return a phone call on Friday asking for more details.

More here.

Hat-tip: Flying Hamster

Hundreds of Laptops Missing at State Department, Audit Finds - UPDATE

Jeff Stein writes on CQ Politics:

Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found.

As many as 400 of the unaccounted for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings.

The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces.

Ironically, the Anti-Terrorism Assistance Program is administered by the State Department’s Bureau of Diplomatic Security (DS), which is responsible for the security of the department’s computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here.

DS officials have been urgently dispatching vans around the bureau’s Washington-area offices to collect and register employee laptops, said department sources who could not speak on the record for fear of being fired.

More here.

Hat-tip: Michael Tanji

UPDATE: 6 May 2008, 21:29 PDT: The State Department says the have found the missing computers. -ferg

UK: Spy Chiefs Target Travel Cards

Richard Elias writes on News.Scotsman.com:

Security chiefs are demanding the right to monitor the movement of bus, train and car passengers in Scotland as part of the battle against terrorism.

MI5 wants to use live information from a new generation of swipe-card payment systems planned for buses, trams and trains, as well as automatic number-plate recognition, to plot the movement of suspects as they travel.

It argues the information could be used to foil terrorist incidents such as last year's Glasgow Airport attack. But civil rights campaigners say the plan is another step towards a "surveillance society" and is open to abuse.

Currently, the security services need to make specific requests to monitor an individual, but they want to be able to watch anyone without seeking permission first.

More here.

Friday, May 02, 2008

Late Night Flashback: The Beatles - I Am The Walrus



Enjoy.

- ferg

U.S.-Belarus Row Escalates After Cyber Attack, Diplomatic Expulsions

Shaun Waterman writes for UPI:

The U.S. State Department said Thursday it had not yet decided what action, if any, it would take in response to the Belarusian expulsion of U.S. diplomats this week.

The expulsions are the latest step in an escalating confrontation between Washington and Minsk following the imposition last December of U.S. sanctions against a state-owned energy conglomerate. They came on the heels of a cyberattack on the Belarusian site of U.S.-supported broadcaster Radio Free Europe/Radio Liberty, which State Department officials blamed on the regime.

The expulsions reduced the size of the U.S. diplomatic staff in Minsk to four, department spokesman Tom Casey told reporters.

More here.

Joint International Terrorism Task Force: Policing the 'War on Drugs'

Mission Creep:

Canadian defense officials say a three-ship Canadian task force recently took part in a multinational counter-drug operation in the Caribbean.

Official say the drug interdiction operation in the Caribbean Basin and East Pacific Ocean was part of an overall counter-terrorism initiative with the Joint Interagency Task Force. The operation, called Operation Altair, stopped the flow of more than 200 tons of cocaine traffic, Canadian National Defense reported.

More here.

What's Up with the Secret Cybersecurity Plans, Senators Ask DHS

Ryan Singel writes on Threat Level:

The government's new cyber-security "Manhattan Project" is so secretive that a key Senate oversight panel has been reduced to writing a letter to beg for answers to the most basic questions, such as what's going on, what's the point and what about privacy laws.

The Senate Homeland Security committee wants to know, for example, what is the goal of Homeland Security's new National Cyber Security Center. They also want to know why it is that in March, DHS announced that Silicon Valley evangelist and security novice Rod Beckstrom would direct the center, when up to that point DHS said the mere existence of the center was classified.

Those are just two sub-questions out of a list of 17 multi-part questions centrist Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine) sent to DHS in a letter Friday.

In fact, although the two say they asked for a briefing five months ago on what the center does, DHS has yet to explain its latest acronym.

More here.

The Tangled Web of PCI Compliance

Richard Adhikari writes on internetnews.com:

Fear and loathing will dominate when Best Practice 6.6 of the PCI Data Security Standard becomes a requirement June 30.

The regulation requires that merchants dealing with debit and credit cards tighten up their security by both conducting application code reviews and installing Web application firewalls.

It was put forth by the PCI Security Standards Council, which issues, maintains and enforces the PCI security standards that govern payment account data security to which all corporations that deal with payment cards must adhere.

However, while stating that "proper implementation of both options would provide the best multi-layered defense", the Council says, in essence, that some merchants won't be able to implement both. The solution: select the best option for their needs. This is leading to compliance problems.

More here.

Military Computer Contractor Convicted of ID Theft

Grant Gross writes on InfoWorld:

A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees, the U.S. Department of Justice said.

Randall Craig, 41, of Houston, pleaded guilty Friday to both counts of an indictment returned in April by a grand jury in U.S. District Court for the Southern District of Texas. Craig acknowledged selling information contained in a military database to a person he believed to represent a foreign government, according to the U.S. Attorney's Office for the Southern District of Texas and the U.S. Federal Bureau of Investigation.

The person who purchased the names and Social Security numbers from Craig was an undercover FBI agent, they said.

Craig worked as a private computer contractor at the Marine Corps Reserve Center in San Antonio, Texas, in September 2007, and he had access to personal information of U.S. Marines in the center's database, the DOJ said.

More here.

Botnet Targets .EDU and .MIL Systems

Matthew Broersma writes on TechWorld.com:

Security researchers have discovered a complex spamming scheme that hijacks users' PCs in order to attempt to send junk mail via university and military systems.

Researchers at Romania-based BitDefender said the scheme, based on a backdoor called Edunet, was one of the most complicated and mysterious they've come across.

The scam starts with junk emails that offer links to videos. When a user clicks on the link he is prompted to download a "media player" - something that should in itself ring alarm bells, since most videos currently use players embedded in a web page or in the operating system itself.

The "media player" download is in fact the Edunet backdoor, which creates a botnet used to attempt to send spam via a list of mail servers, BitDefender said.

One of the curiosities of Edunet is that these mail servers are mostly in the .edu and .mil domains. On these servers the botnet looks for open relays - a type of misconfiguration often used by spammers to disguise the real origins of the junk mail.

More here.

White House Plans Proactive Cyber-Security Role for Spy Agencies

Brian Krebs writes in The Washington Post:

America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

In January, President Bush signed a directive authorizing the intelligence agencies, including the National Security Agency, to monitor all federal network traffic to prevent attackers from breaking in and from stealing sensitive data or disrupting critical systems.

More here.

How One Site Dealt With SQL Injection Attack

Ellen Messmer writes on NetworkWorld:

The massive wave of SQL injection attacks that started striking Microsoft-based Web sites around the world more than a week ago claimed as one of its victims Autoweb, a U.K.-based advertising and marketing site.

The ongoing attack, which hit Autoweb on a late Friday, exploited a vulnerability in a single line of code in the Web application to pierce through to the company’s Microsoft SQL database, inject 30 characters to overwrite content, defaced Web pages, and ultimately knocked the site offline. The attack left Web pages that would attempt to inject malicious code into browsers of Web visitors.

t is estimated that at least a half-million Web pages had been infected in a similar style since it was flagged by security experts April 24. How Autoweb had to fight to recover its site over the long weekend that followed shows how devastating SQL injection attacks can be.

More here.

Thursday, May 01, 2008

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Thursday, May 1, 2008, at least 4,065 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,312 died as a result of hostile action, according to the military's numbers.

The AP count is one more than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Off Beat: California's Population Tops 38 Million


An AP newswire article, via CBS5.com, reports that:

California's population has topped 38 million, making it home to one in every eight Americans.

The state Department of Finance estimates that California topped the 38 million benchmark by nearly 50,000 residents on January 1. That's up by nearly half a million people, or more than 1 percent, from a year ago.

More here.

Estonian Cyber Attacks: Lessons Learned, A Year Later

Tom Espiner writes on ZDNet UK:

The idea that attacks on computer systems could provide an alternative method of spreading terror and disruption has been a concern for governments since IT systems began to proliferate.

But it wasn't until Estonia suffered a series of concerted attacks in April 2007 that theory became reality. The movement of the Bronze Soldier, a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis, from a square in the capital Tallinn to a military cemetery, has been traced as the main flashpoint for the attacks.

Protests and riots involving ethnic Russians living in the country were the immediate result, but what no-one foresaw was the subsequent series of attacks aimed at computer systems managing the country's critical national infrastructure.

More here.

Note: I also noted over on the Trend Micro Malware Blog that "Hacktivism" incidents are becoming more frequent, and much more malicious. -ferg

UK: Fraud Losses by Banks Shifted Onto Consumers

Via SecurityPark.net.

The newly revised UK British Banking code means that fraud losses by banks will now be shifted onto consumers. The new code allows banks to hold customers personally responsible if they have not taken adequate security measures to protect themselves.

The research, published this month by analyst firm Gartner, documented that 37% of respondents were unsure how they had become victims of credit card fraud and a further 19% attributed credit card account breaches to retailers, government agencies or third parties. Data from the US and the rest of Europe also suggests that similar trends exist, as companies in these regions are looking to adopt a similar policy.

While the new guidelines advise that customers' computers must be kept secure to protect sensitive data, it offers little or no real assistance on how to use firewall and antivirus/spyware protection effectively or ensure adequate security standards.

More here.

Analysis Reveals No Security Breach, No Personal Data Exposed At CU-Boulder

Via The University of Colorado at Boulder.

The University of Colorado at Boulder today announced that a forensic analysis of a computer suspected to have been compromised last week revealed no malicious software, and no exposure of student and staff private data.

"The analysis by our staff, working closely with the consulting firm of Applied Trust Engineering, revealed an interaction between two incompatible software programs that mimicked behavior consistent with malicious software," said Dan Jones director of IT Security at CU-Boulder.

"The functioning of the computers led us to initiate our data breach protocol, which includes providing notice to the community of a potential threat of identity theft," Jones said.

Dennis Maloney, chief technology officer for CU-Boulder, said, "While the data was not compromised, this incident still reinforces the need to continue to constantly improve IT security at CU. We also intend to share our discovery of the software incompatibilities with our colleagues."

More here.

Hat-tip: The Data Loss Mailing List

EFF: Congress Must Investigate Electronic Searches at U.S. Borders

Via EFF.org.

The Electronic Frontier Foundation (EFF) and a broad coalition, including civil rights groups, professional associations and technologists, called on Congress today to hold oversight hearings on the Department of Homeland Security's search and seizure of electronic devices at American borders.

The press has widely reported disturbing stories about U.S. citizens subject to intrusive searches of their laptops and cell phones. But a recent court decision found that customs officials can search travelers' computers at the border without suspicion or cause. In a letter sent to the House and Senate Homeland Security and Judiciary committees today, the coalition urges lawmakers to consider passing legislation to prevent abusive search practices by border agents and to protect all Americans from suspicionless digital border inspections.

"Our computers, cell phones, and other electronic devices hold a vast amount of personal information like financial data, health histories, and personal emails and letters," said EFF Staff Attorney Marcia Hofmann. "In a free country, the government cannot have unlimited power to read, seize, and store this information without any oversight."

So far, the Department of Homeland Security has refused to release its policies and procedures for conducting these intrusive searches. EFF and the Asian Law Caucus have filed suit against the Department of Homeland Security to obtain the information through the Freedom of Information Act.

More here.

FISA Watch: Secret Intelligence Court Approves Record 2,370 Warrants

An AP newswire article, via MSNBC, reports that:

The U.S. secret intelligence court approved a record number of requests to search or eavesdrop on suspected terrorists and spies last year, the Justice Department said.

The Foreign Intelligence Surveillance Court approved 2,370 warrants last year targeting people in the United States believed to be linked to international terror organizations.

That figure represents a 9 percent increase over 2006. The number of warrants has more than doubled since the terrorist attacks of 2001.

More here.

Botnets: As Storm Calms Down, Srizbi Gains Steam

Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:

On Thursday, MessageLabs reported in its April Intelligence report [.pdf] a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, chief security analyst.

At its peak, Sunner said, the Storm botnet resided on 1 million computers worldwide. That number has since decreased to about 85,000 Internet Protocol addresses at the end of April.

Over the last 18 months, Storm has been constant, never decreasing in prevalence, according to MessageLabs research. "Other security companies have reported decreases in the past," Sunner said, because of different methods of studying the botnet, "but this is first decrease we've seen."

Sunner credited the most recent patches from Microsoft for the decline. In the weeks following the most recent Patch Tuesday, he said, there was a sharp dropoff in Storm-related activity.

More here.

Note: Then again, a botnet of ~85,000 nodes is nothing to sneeze at. -ferg

Wednesday, April 30, 2008

Mark Fiore: General Happy Swellspin (Ret.)



More Mark Fiore Brilliance.

Enjoy.

- ferg

Via The San Francisco Chronicle.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Wednesday, April 30, 2008, at least 4,062 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,307 died as a result of hostile action, according to the military's numbers.

The AP count is four more than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

BAE Secures U.S. Military Contract to Protect Aganist Cyber Attacks

Via UPI.

British company BAE Systems is making a new military communications network protected against cyberattacks.

The company said in a statement Thursday it was producing what it called a new "intrinsically secure" mobile military communications network that could resist cyberattacks.

BAE Systems said it would make and check out network protocols that would protect the integrity, availability, reliability, confidentiality, and safety of network communications and data.

The $8.5 million project is being funded by U.S. Department of Defense's Defense Advanced Research Projects Agency -- DARPA and the program is called the Intrinsically Assurable Mobile Ad hoc Network. The aim of the project is to produce solutions to the weaknesses of current mobile ad hoc networks which are vulnerable to passive analysis and manipulation by enemy action, BAE Systems said.

More here.

Hackers Hit French Website Over China Poll

A Reuters newswire article, via The Globe and Mail, reports that:

Hackers attacked the website of a French magazine this month, attempting to sway an opinion poll on the Beijing Olympics and change the site's content, its publisher said on Wednesday.

Jean-Joel Gurviez said the website of business magazine Capital was first hit in March, when it opened a poll on whether France should boycott the Games' opening ceremony in China.

“On the first day, we had about 300 responses, which was normal for this type of poll, and they were 80 per cent in favour of a boycott. The next day there were 20,000 responses, with 80 per cent opposing a boycott,” he said.

Almost all of the responses arrived via Chinese servers, Gurviez said, leading technicians to initially think the influx was driven by Chinese sites directing patriotic fans to vote.

“But a few days later we had hackers operating off servers in China try to change our content, and there were 2.5 million attempts to access protected files. We had to shut down the site temporarily,” he said.

More here.

Israeli Private Investigators Guilty in Espionage, Spyware Case

Carolyn Hunter writes on SC Magazine Online:

Four members of Modi'in Ezrahi, an Israeli private investigation company have been found guilty of using spyware to steal information from businesses.

The private investigators used a Trojan horse designed by a London-based couple, Michael and Ruth Haephrati, to allegedly spy on and steal information from companies including HOT, a cable television group and Rani Rahav PR agency.

According to reports, three of the investigation firm's employees were given jail terms ranging from nine months to 19 months. Yitzhak Rett, former CEO of Modi'in Ezrahi, was fined 250,000 Israeli Shekels (£36,500) and sentenced to ten months on parole after admitting the offences under a plea bargain.

Israeli authorities first uncovered the industrial espionage plot in 2005 and believe Modi'in Ezrahi is one of a number of firms involved.

More here.

Pentagon Launches Foreign News Propaganda Campaign


Peter Eisler writes for USA Today:

The Pentagon is setting up a global network of foreign-language news websites, including an Arabic site for Iraqis, and hiring local journalists to write current events stories and other content that promote U.S. interests and counter insurgent messages.

The news sites are part of a Pentagon initiative to expand "Information Operations" on the Internet. Neither the initiative nor the Iraqi site, www.Mawtani.com, has been disclosed publicly.

At first glance, Mawtani.com looks like a conventional news website. Only the "about" link at the bottom of the site takes readers to a page that discloses the Pentagon sponsorship. The site, which has operated since October, is modeled on two long-established Pentagon-sponsored sites that offer native-language news for people in the Balkans and North Africa.

Journalism groups say the sites are deceptive and easily could be mistaken for independent news.

More here.

NASA Review Board Stacked With Contractors


An AP newswire article, via MSNBC, reports that:

A board set up to review construction of the spaceship to return astronauts to the moon is loaded with employees of the very contractors they are supposed to scrutinize, breaking federal law, a government watchdog says.

The board chairman, former Skylab astronaut Ed Gibson, and five other members work for companies hired by NASA on the multi-billion-dollar space shuttle replacement program.

The NASA inspector general, the agency's in-house watchdog, calls that a conflict of interest and recommends suspending the six board members.

More here.

U.S. Air Marshals on the No-Fly List

Audrey Hudson writes on The Washington Times:

False identifications based on a terrorist no-fly list have for years prevented some federal air marshals from boarding flights they are assigned to protect, according to officials with the agency, which is finally taking steps to address the problem.

Federal Air Marshals (FAMs) familiar with the situation say the mix-ups, in which marshals are mistaken for terrorism suspects who share the same names, have gone on for years — just as they have for thousands of members of the traveling public.

One air marshal said it has been "a major problem, where guys are denied boarding by the airline."

"In some cases, planes have departed without any coverage because the airline employees were adamant they would not fly," said the air marshal, who asked not to be named because the job requires anonymity. "I've seen guys actually being denied boarding."

More here.

Hat-tip: Aviation Nation

3Com's New Chief to be Based in China

Marguerite Reardon writes on the C|Net News Blog:

Network equipment maker 3Com announced Wednesday a new CEO who will be based in China.

Robert Mao, 64, will succeed Edgar Masri as chief executive officer. Mao, who is fluent in Mandarin and English, had most recently been 3Com's executive vice president for corporate development. Prior to working at 3Com, he headed up Nortel Network's China operations. And before that he had worked for the French telecommunications equipment maker Alcatel, which is now Alcatel-Lucent.

The news of the management shift comes after the U.S. government essentially put the kibosh on a proposed $2.2 billion buyout of 3Com by Bain Capital Partners and Huawei Technologies.

More here.

Echelon Watch: New Zealand Satellite Base Damaged in Anti-U.S. Protest

Antenna Units in the Waihopai Valley

Patrick Goodenough writes for CNSNews.com:

In an embarrassing security breach, anti-war activists in New Zealand early Wednesday broke into a communications facility they say is part of a global surveillance system that benefits the U.S. anti-terrorist campaign.

Three men were arrested after members of a group calling itself ANZAC Ploughshares said they cut through fences and slashed one of two giant white radomes covering satellite dishes, deflating the ball-shaped structure.

The Waihopai base on New Zealand's South Island is operated by the Government Communications Security Bureau (GCSB). The Wellington-based agency says its functions are to collect and provide the New Zealand government with foreign intelligence, and to provide advice and expertise to ensure that the government's official information is protected.

Groups that have been protesting against the site for years claim it is part of a global eavesdropping network providing intelligence to the U.S. National Security Agency, and involving listening stations in Britain, Australia, New Zealand and Canada.

More here.

Image source: Cryptome.org

Tuesday, April 29, 2008

Ex-UCLA Worker Accused of Selling Celebrity's Personal Info

An AP newswire article, via MSNBC, reports that:

A former UCLA Medical Center employee was indicted on charges that she accessed the records of dozens of high-profile patients and selling the information to a media outlet, prosecutors said Tuesday.

The indictment follows revelations of privacy breaches involving at least 61 patients at the University of California, Los Angeles’ hospitals, including actress Farrah Fawcett, singer Britney Spears and California first lady Maria Shriver.

The indictment accuses Lawanda Jackson, 49, of one count of illegally obtaining individually identifiable health information for commercial advantage. Under seal since April 9, the indictment was made public Tuesday.

More here.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Tuesday, April 29, 2008, at least 4,056 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,306 died as a result of hostile action, according to the military's numbers.

The AP count is one fewer than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

U.S. Dept. of Justice IP Address Blocked After 'Vandalism' Edits to Wikipedia

Via Mister-Info.com.

Wikinews has learned that a United States Department of Justice (DOJ) IP Address has been blocked on Wikipedia after making edits to an article which were considered "vandalism". In two separate instances, the IP address from the DOJ removed information from the Wikipedia article about the organization Committee for Accuracy in Middle East Reporting in America (CAMERA), regarding an attempt by the organization to secretly gain influence on the site.

The IP address has been confirmed by Wikinews to be registered and used by the DOJ located in Washington, D.C.

More here.

Hat-tip: The Inquirer

In Passing: Dr. Albert Hofmann


Albert Hofmann
January 11, 1906 – April 29, 2008


Microsoft Helps Law Enforcement Get Around Encryption

Nancy Gohring writes on CIO.com:

The growing use of encryption software -- like Microsoft's own BitLocker -- by cyber criminals has led Microsoft to develop a set of tools that law enforcement agents can use to get around the software, executives at the company said.

Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE), to law enforcement last June and it's now being used by about 2,000 agents around the world, said Anthony Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety and Anti-Counterfeiting group. Microsoft gives the software to agents for free.

While Microsoft can point to wide usage of COFEE, some experts are skeptical about using that type of tool to recover data, and even the developer of the product at Microsoft acknowledges that it's not accepted by some users.

More here.

How German Spies Eavesdropped on an Afghan Ministry

Via Spiegel Online.


It was an extravagant promise, one delivered in a state of contriteness. Ernst Uhrlau, the president of Germany's foreign intelligence agency, the Bundesnachrichtendienst (BND), said in a 2006 interview: "When it comes to the private sphere of a journalist, then I have to draw the line." The agency, he said, had "gone too far" and, in the future, "absolute respect for the private sphere" would be its guiding principle. Transparency, Uhrlau said, is important to "ensure that we do not convey the impression that journalists are under surveillance."

Uhrlau's comments were in response to a scandal where journalists had been illegally observed and spied on by informers. The spy chief clearly believed that it was the right time for the kind of promise he made.

And yet it was not a promise he kept -- that much is clear. On June 6, 2006, eight days before Uhrlau uttered his trite assurances, a foolhardy operation began in which a journalist was placed under surveillance once again. This time it was SPIEGEL reporter Susanne Koelbl. The BND, by intercepting and reading her e-mail correspondence with Afghan Commerce Minister Amin Farhang), has triggered a new scandal -- one with the potential to inflict serious political damage, both domestically and abroad.

More here.

Hat-tip: Halvar Flake

Monday, April 28, 2008

MySpace Wins Suit Against 'Spam King'

Greg Sandoval writes on the C|Net News Blog:

Sanford Wallace, the so-called spam king, has often been accused of sending annoying messages that are typically ignored by the recipient. Perhaps he considered a series of court orders as something he could blow off.

If he did, he was wrong. MySpace has won a legal judgment against Wallace after he failed numerous times to turn over documents or even to show up for court, according to documents obtained by CNET News.com.

In March of last year, MySpace filed suit alleging that Wallace launched a phishing scam in October 2006 to fraudulently access MySpace profiles. Wallace was also accused of spamming thousands of MySpace users with unwanted advertisements and luring them to his Web sites.

To say Wallace, who could not be reached for comment, failed to mount a vigorous defense would be an understatement.

More here.

GAO: White House Undermines EPA on Cancer Risks

An AP newswire article by H. Josef Hebert, via SFGate.com, reports that:

The Bush administration is undermining the Environmental Protection Agency's ability to determine health dangers of toxic chemicals by letting nonscientists have a bigger — often secret — role, congressional investigators say in a report obtained by The Associated Press.

The administration's decision to give the Defense Department and other agencies an early role in the process adds to years of delay in acting on harmful chemicals and jeopardizes the program's credibility, the Government Accountability Office concluded.

At issue is the EPA's screening of chemicals used in everything from household products to rocket fuel to determine if they pose serious risk of cancer or other illnesses.

A new review process begun by the White House in 2004 is adding more speed bumps for EPA scientists, the GAO said in its report, which will be the subject of a Senate Environment Committee hearing Tuesday. A formal policy effectively doubling the number of steps was adopted two weeks ago.

More here.

Société Générale Goat Gets IT Consulting Job

Tim Wilson writes on Dark Reading:

The man who caused one of the worst security breaches in the history of the world now has a new job: He's an IT consultant.

Jerome Kerviel is accused of breaking into computer systems to make risky trades that cost Société Générale more than $7.7 billion. Now, he's working at Lemaire Consultants & Associés, a consultancy specializing in IT network installation and security, according to a Wall Street Journal report.

Kerviel started his new gig weeks ago, shortly after his release from more than a month in prison, according to his lawyer. An LCA employee confirmed Kerviel works for the firm, but declined to discuss the nature of his employment.

More here.

U.S. Radio Websites in Eastern Europe Hit by Denial of Service Attacks

An AFP newswire article, via Breitbart.com, reports that:

Websites run by US Radio Free Europe/Radio Liberty, based in eastern Europe, have been hit by an "unprecedented" cyberattack, management said Monday.

"The attack, which started on April 26, initially targeted the website of RFE/RL's Belarus Service, but quickly spread to other sites," a statement on its website said.

"Within hours, eight RFE/RL websites (Belarus, Kosovo, Azerbaijan, Tatar-Bashkir, Radio Farda, South Slavic, Russian, and Tajik) were knocked out or otherwise affected," it added.

Belarus Service Director Alexander Lukashuk said that the problems began on the 22nd anniversary of the Chernobyl nuclear catastrophe.

More here.

University of Colorado at Boulder Discloses Data Breach

Ellen Messmer writes on NetworkWorld:

The University of Colorado at Boulder says it is investigating the impact of a data breach discovered last Friday that may have given an attacker access to private information on 9,000 students and 500 instructors.

Three computers used in the Division of Continuing Education and Professional Studies were discovered to be compromised, and the university has called in Applied Trust Engineering to help with a forensics investigation. It didn't take special software or skills to notice one computer was compromised, though: It was performing tasks such as re-booting, much to the surprise of users and IT staff.

More here.

Banks Told to Prep for New International ACH Rules

Nancy Feig writes on Bank Systems & Technology:

There is less than a year before the NACHA rule and format for international ACH transactions (IATs) go live. The rule change, which will enable all U.S. financial institutions to readily identify cross-border payments carrying remittance information that details all the parties to the payment, takes effect March 20, 2009, and presents both opportunities and challenges for banks.

The new IAT rule will identify international automated clearing house (ACH) transactions by focusing on where the financial agency that handles the payment transaction is located, according to NACHA, the Herdon, Va.-based payments organization. As a result, certain international transactions that currently are formatted as domestic transactions because they are conducted through a U.S.-based correspondent relationship instead will be classified as IATs.

More here.

NSA Seeks Feedback on IPv6 Security Recommendations

Dan Campbell writes on GCN.com:

The National Security Agency’s Central Security Service has released a pair of IPv6-related documents titled Firewall Design Considerations for IPv6 and A Filtering Strategy for Mobile IPv6 for industry review and feedback.

One of the most frequently cited impediments to IPv6 deployment is the lack of IPv6 features in security products. Network administrators are nervous about implementing the new protocol and opening up security holes without having the tools to mitigate them. The NSA documents by Casimir Potyraj call for firewall vendors and other security experts to comment on what is practical to implement in security products.

Potyraj called attention to the “unconstrained flexibility allowed by IPv6 specifications” that must be considered when designing security products. For example, a major improvement in IPv6 is the replacement of seldom-used IPv4 header fields with optional extension headers that can be used to provide additional services and packet handling. Potyraj expressed concern that the flexibility allowed in the IPv6 specifications on extension headers, including the order in which the headers appear in the packet, may facilitate attacks or impair security product vendors’ ability to implement techniques to thwart them.

More here.

Sunday, April 27, 2008

U.S. Toll in Iraq



Via The Boston Globe (AP).

As of Friday, April 25, 2008, at least 4,052 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,301 died as a result of hostile action, according to the military's numbers.

The AP count is three more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Charlie Wilson's War: Fucking Up The End Game


I just watched "Charlie Wilson's War" on DVD this afternoon. It was fun.

With the obvious star power (Tom Hanks, Julia Roberts, Philip Seymour Hoffman, et al.), it is a very entertaining movie.

But aside from that, there are some very poignant issues in this film -- namely, the fact that the U.S. covertly intercedes in issue it feels are critical to international security (or its own interests), and then leaves it in a shit pile, to fester into a later international security crisis.

This is not a recent phenomenon.

Regarding the situation in Afghanistan specifically, the U.S. created it's own destiny, for the right reason, in the wrong fashion, and with political incompetence.

The threat of the Soviet Union's aggression into Afghanistan became a "cause celeb" in the inner circles of the U.S. Intelligence community in the mid-1980's, but after the Soviets retreated from Afghanistan, the U.S. political will evaporated and became completely ensconced in issues not related to the upsurge of collective terrorist activity that suddenly became enamored with Afghanistan.

In fact, they completely missed it altogether.

This has become a very dangerous serial behavioral model for U.S intelligence since Vietnam -- leap-frogging from one "critical" hot spot to another -- in effect, firefighting groundswell issues while being blinded to cultural hot spots which are cropping up globally, in response to The United States' ineptitude in foreign policy management.

In any event, "Charlie Wilson's War" is a great film -- it accurately portrays factual issue (albeit with a Hollywood flair) -- but also hints at how the groundwork was laid for future mismanagement Cluster Fucks (or as we used to call them in the Army, "Charlie Foxtrots".)

Enjoy.

- ferg

Off-Topic: Letters Give CIA Tactics a Legal Rationale


Mark Mazzetti writes in The New York Times:

The Justice Department has told Congress that American intelligence operatives attempting to thwart terrorist attacks can legally use interrogation methods that might otherwise be prohibited under international law.

The legal interpretation, outlined in recent letters, sheds new light on the still-secret rules for interrogations by the Central Intelligence Agency. It shows that the administration is arguing that the boundaries for interrogations should be subject to some latitude, even under an executive order issued last summer that President Bush said meant that the C.I.A. would comply with international strictures against harsh treatment of detainees.

While the Geneva Conventions prohibit “outrages upon personal dignity,” a letter sent by the Justice Department to Congress on March 5 makes clear that the administration has not drawn a precise line in deciding which interrogation methods would violate that standard, and is reserving the right to make case-by-case judgments.

More here.

Note: Just because the Bush Administration has redefined what "torture" actually means to suit their needs, this affront to human rights & international law flies in the face of reason and common sense. These tactics have made the United States more hated by its enemies, lowered its standing in the civilized world, and smeared the honor and dignity of American citizens. It is sickening.

History will judge the George W. Bush very harshly indeed for his amazingly poor decisions, malicious mismanagement of the country he vowed to serve & protect, and his incompetent execution of the duties of his office. -ferg